1. Field
The present disclosure relates generally to an improved computer network and, in particular, to a method and apparatus for a computer network defense system. Still more particularly, the present disclosure relates to a method and apparatus for using deception to protect a computer network.
2. Background
Many organizations employ computer networks in day-to-day activities. These activities include payroll, human resources, research, sales, marketing, and other suitable activities. These types of activities often include connectivity of internal computer networks to the outside world through the Internet.
Increasingly often, organizations are attacked and compromised by adversaries. The adversaries may steal information about customers, transactions, research, or other confidential or sensitive information. In other cases, adversaries may take actions that cause the organization to be unable to perform at a desired level.
In protecting computer networks from adversaries, various tools are currently present for use by organizations. These tools include signature-based detectors, whitelisting, blacklisting, intrusion detection and protection systems, and other suitable types of tools.
Actions that may be taken using these types of tools include, for example, unplugging compromised hosts, quarantining compromised hosts, and other suitable actions. These types of actions, however, are reactive and do not provide an ability to obtain insight into the actions taken by an adversary attacking a computer network. This type of information is often useful in mitigating the effects of a current attack or protecting against future attacks on a computer network.
One solution involves the use of honeypots. A honeypot is a trap that is used to detect, deflect, or in some other manner counteract the attempts at unauthorized use of a computer network. With a honeypot, a portion of the network system may be isolated from the rest of the network. The honeypot may contain information or resources that may be desirable to an adversary. This honeypot may monitor or obtain information about the actions performed by an adversary.
However, the use of honeypots has not been effective, particularly when honeypots can be detected. Honeypots often do not provide a sufficiently realistic environment in which the adversary will perform actions to show its capabilities.
Thus, despite the expenditure of significant amounts of money and effort, computer networks are not as secure against attacks from adversaries as desired. Further, attacks from adversaries are becoming more aggressive and widespread. Therefore, it would be desirable to have a method and apparatus that take into account at least some of the issues discussed above, as well as other possible issues. For example, it would be desirable to have a method and apparatus that overcome the technical problem with obtaining information about an adversary to mitigate the current attack or prevent future attacks on a computer network.